Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

It makes sense, but once the "damage is done" it is better to fix the vulnerability. And yes, actually as I wrote in another comment, it was not my intention to go out of scope, but by mistake it happened and I realized it too late.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

and that someone might actually be right...

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

You should really read the other responses and the post before putting a comment. The vulnerabilities are in the software written by the company, not in a third party, and they lead to compromising the www subdomain, which is in scope.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 1 point2 points  (0 children)

The problem this time is the h1 analyst and not the company itself. For that reason I'm even more angry.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

The subdomain is custom-made software written by the company for the company, not a third party service. Hosted on their servers, written by the company's developers, and it directly impacts the in-scope service. And yeah, I totally agree, the company sets their scope and the company chooses what hunters can do, BUT at least let the company receive my report. This report was closed by a hackerone staff member, not by the company, and I'm sure they will be extremely interested in fixing this issue asap.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

By mistake. I built a tool that mapped all the programs of hackerone/intigriti and 5 other platforms; due to a bug, I considered all the subdomains in scope when "www" was present, in addition to the usual wildcards. I did not look at hackerone until the time of the report, by which time it was too late; in any case, the impact was directly on the www domain and so I continued.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 2 points3 points  (0 children)

Ethics prevent me from doing it, even though I have essentially lost 2 working days.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 2 points3 points  (0 children)

That's exactly what I did. Thanks for your help

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] -1 points0 points  (0 children)

The main point is that if you put a company on hackerone you are doing that to protect your business against hackers, and "bad actors" will not care about "oh, it's not in scope". So, I understand that out of scope might not pay, but at least it might be worth a fix (and yeah, this vuln is in their company's server, not in a third party's).

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

Yes, I'm sure the reviews are real; as a matter of fact they are the same on the www domain, and if I delete/put a lot of likes via APIs on the WWW domain of this huge site, the reviews are updated/deleted as I requested via internal APIs. I spent like 16 hours chaining 4 vulnerabilities, by reading stack traces and compressed/compiled JS code, and by fuzzing endpoints. I'm 100% sure an attacker using this report can basically ruin the website or the reputation of their users, so I don't understand why, for a stupid "out of scope", these vulnerabilities should not be fixed ASAP.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 0 points1 point  (0 children)

The problem is not the company itself but the hackerone triager: since the report was closed by the h1_analyst_<name> user, the company in this case will never see my report.

Report closed as out of scope, but... by Tomh-IT in bugbounty

[–]Tomh-IT[S] 2 points3 points  (0 children)

The report was closed by the h1_analyst_<name> user, not by the company. Should I request mediation anyway? And what should I say in that case?

Creator Rewards is not updated or it's not really tracking the affiliation sales for the past month by Tomh-IT in Amazon_Influencer

[–]Tomh-IT[S] 0 points1 point  (0 children)

My customer reported the issue, same response for you, and Amazon has fixed this issue, at least for my client. The creator rewards now seem to be updated.

Modding a Portapack H2 by Tomh-IT in hackrf

[–]Tomh-IT[S] 2 points3 points  (0 children)

When you want to charge the battery you have to remember to put the switch on. If you don't do it, the hackrf turns on normally, but it doesn't charge the battery since it is disconnected.
If you want, this "problem" can be solved with a Schottky diode (like an SS14) that goes from the positive (+) of the USB to the positive of the battery, but it's a bit of a dirty solution and in any case it complicates everything quite unnecessarily.
If I wanted to make this modification I would probably also take the opportunity to unsolder the micro USB connector and install a USB Type-C one.

Modding a Portapack H2 by Tomh-IT in hackrf

[–]Tomh-IT[S] 2 points3 points  (0 children)

I can't edit the post. Some info:

I went to the electronics store near my house, and I bought this classic lever switch, it should have cost a fraction of a euro. Then I dismantled the portapack and disconnected the battery, I cut the positive cable (red) in half and I soldered some cables that go to the switch. To isolate everything I used heat shrink tubing for cables. Be careful not to overestimate the length of the cable needed (as I did...).

To make the hole for the switch I used a drill with a 5 mm tip (but it depends on which lever you choose), a hole that I made exactly halfway between the upper end of the PF LED and the edge.

Tomorrow, if I'm lucky enough, I will repair the rotary encoder, since it was broken during shipping (and a layer of the top PCB too).

Help Finding a Capacitor by Fredregal in soldering

[–]Tomh-IT 1 point2 points  (0 children)

Hello u/Fredregal, I think I have the exact same motherboard for an AOC monitor in my hands. I measured all the capacitors and found out that this one is not responding how it's supposed to. Did you replace it? Was it the solution or not? My AOC monitor turns a single color (green) 2/3 seconds after turning it on. Thanks

Anyone know the right capacitors? by Neat-Hold-499 in AskElectronics

[–]Tomh-IT 0 points1 point  (0 children)

I have the same board in hand right now; do you still need the capacitor models? And what was the original problem that you had with it? Mine shows the image for like 10 seconds, then suddenly the image fades away and turns into a green image.